CVE-2024-21532

HIGH

ggit - OS Command Injection via fetchTags API

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-21532, a PoC published by lirantal.

AI-analyzed exploit summary

The repository contains a working proof-of-concept for CVE-2024-21532, demonstrating command injection in the `ggit` npm package: unsafe string concatenation in the `fetchTags` API lets a crafted branch name reach the `exec()` Node.js child process API, which hands the whole string to a shell and so yields arbitrary command execution.

Description

All versions of the package ggit are vulnerable to Command Injection via the fetchTags(branch) API. The branch argument is taken from user input and concatenated directly into a git command string, which is then passed to the unsafe exec() Node.js child process API. Because exec() runs the string through a shell, metacharacters in the branch name (such as `;`, `|`, `$(...)` or backticks) terminate the git command and start an attacker-chosen one.

Exploits (1)

nomisec WORKING POC
by lirantal · poc
https://github.com/lirantal/CVE-2024-21532-PoC-ggit

Classification: Working PoC (100%)
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: ggit npm package (versions 2.4.12 and earlier)
Authentication: none needed
Prerequisites: a vulnerable `ggit` release (2.4.12 or earlier) installed, and the ability to pass an attacker-controlled string as the `branch` argument of fetchTags (for example by running JavaScript in the target environment that calls the API)
Analyzed by devstral-2 on Feb 18, 2026

Scores

CVSS v3.1 7.3
Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector NETWORK
EPSS 0.0036 (percentile 59.0%)

CISA SSVC (Vulnrichment)
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-78
Status published
Products (2)
n/a/ggit
npm/ggit
Published Oct 08, 2024
Tracked Since Feb 18, 2026